
I'm trying to figure out how to detect whether a binary has been compressed with UPX. I am using a simple CRC to detect whether my app was in any way changed and if the CRC failed on the size due to a packer I would like to detect that as OK.

Right now I am starting with UPX.

So, is there any marker in the binary? Are there any specific JMP or other instructions that I should search for?
This will mainly be tested in Windows, but in the future I might add it to Linux as well.

Any help (and code) is appreciated.

ADDED:

I found that in the 10 binaries I checked, the

AddressOfEntryPoint
Import Directory RVA
Resource Directory RVA

either point to UPX or have an offset that is set by UPX. Any information on this?

Thanks


2 Answers


Download the UPX source code from the UPX homepage and open the file src/p_w32pe.cpp; the function you are looking for is:

int PackW32Pe::canUnpack()

This function checks whether the file was compressed with win32 UPX.

answered 2011-01-03T14:08:59.107

You could try checking the executable's section names. UPX changes them to UPX0, UPX1, UPX2, I believe.

answered 2011-01-03T16:35:34.730
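A worked version of the section-name check from the second answer, combined with the entry-point observation from the question, as an added example that is not code from either answer or from the UPX project. It walks the DOS header, PE signature, COFF header and section table by hand (no third-party PE library), reports which UPX-named sections exist, which section the AddressOfEntryPoint lands in, and whether the four-byte `UPX!` pack-header magic that `upx -d` relies on is present anywhere in the file. The two sample images are constructed inline (header-only PE32 stubs, not real programs) so the script runs offline; `build_pe`, `detect_upx` and the section layout are assumptions for illustration.

```python
import struct
import sys
from typing import List, NamedTuple, Optional, Tuple


class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int


def parse_pe_sections(data: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, sections) from a raw PE image.

    Offsets follow the PE/COFF spec: e_lfanew at 0x3C, then "PE\0\0",
    a 20-byte COFF header, the optional header, then 40-byte section entries.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # AddressOfEntryPoint sits at offset 16 of the optional header in both formats.
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    table = opt + size_of_optional
    sections = []
    for i in range(num_sections):
        name_raw, vsize, vaddr = struct.unpack_from("<8sII", data, table + 40 * i)
        name = name_raw.rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, vaddr, vsize))
    return entry_rva, sections


def section_containing(sections: List[Section], rva: int) -> Optional[Section]:
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            return s
    return None


UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def detect_upx(data: bytes) -> dict:
    """Heuristic UPX check: section names, entry-point section, and the UPX! magic.

    Section names are a heuristic only: they can be renamed with a hex editor
    without breaking the packed program, so treat a miss as "not proven".
    """
    entry_rva, sections = parse_pe_sections(data)
    upx_named = [s.name for s in sections if s.name in UPX_SECTION_NAMES]
    entry_section = section_containing(sections, entry_rva)
    return {
        "upx_section_names": upx_named,
        "entry_section": entry_section.name if entry_section else None,
        "has_upx_magic": b"UPX!" in data,
        "is_upx": bool(upx_named),
    }


def build_pe(section_names: List[str], entry_rva: int, tail: bytes = b"") -> bytes:
    """Constructed header-only PE32 image for testing (assumption: not a runnable program)."""
    opt_size = 224  # size of a PE32 optional header
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)
    opt += b"\0" * (opt_size - len(opt))
    table = b""
    va = 0x1000
    for name in section_names:  # each section gets a 0x1000-byte virtual range
        table += struct.pack("<8sIIIIIIHHI", name.encode(), 0x1000, va, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
        va += 0x1000
    return dos + b"PE\0\0" + coff + opt + table + tail


# Constructed samples: a UPX-style layout (entry inside UPX1, magic in the data) and a plain one.
PACKED_SAMPLE = build_pe(["UPX0", "UPX1", ".rsrc"], entry_rva=0x2100, tail=b"\0" * 16 + b"UPX!")
PLAIN_SAMPLE = build_pe([".text", ".rdata", ".data", ".rsrc"], entry_rva=0x1234)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, detect_upx(f.read()))
```

Run it as `python upxcheck.py some.exe` to print the verdict for real files; for the original poster's CRC use case, a hit here says "skip the size check because the file is packed", not "the file is unmodified", since the packer stub itself is what would now need to be integrity-checked.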